'Mirai bots' cyber-blitz 1m German broadband routers – and your ISP could be next

Malware waltzes up to admin panels with zero authentication

A widespread attack on the maintenance interfaces of broadband routers over the weekend has affected the telephony, television, and internet service of about 900,000 Deutsche Telekom customers in Germany.

The German Federal Office for Information Security (BSI) issued a statement indicating that the cyber-assault, which was detected on Sunday and continued into Monday, has also targeted government networks, but has been inconsistent in its effect due to protective measures.

A modified version of the Mirai worm – which commandeered huge numbers of CCTV cameras and other Internet-of-Things gear – is now scanning home routers for security vulnerabilities, and either crashing or hijacking devices. This upgraded malware, and similar software nasties, were likely behind the weekend's outage in Germany, by attacking the modems' maintenance interface on port 7547.

Deutsche Telekom has issued a patch for two models of its Speedport broadband routers (Speedport W 921V, Speedport W 723V Type B) and offered affected customers a free day-pass for internet access through mobile devices while the issue gets resolved.

The Register last week reported that tens of thousands of Eir broadband modems in Ireland appeared to be vulnerable to remote takeover via TCP port 7547, following the publication of a proof-of-concept exploit.

In an email to The Register, Darren Martyn, who works at Xiphos Research in the UK, said that there are two issues with the Eir D-1000 broadband router, made by ZyXEL.

The first problem, he said, is that the TR-064 interface is accessible via the internet-facing WAN port and allows remote management with no authentication.

This appears to be a consequence of TR-069 – aka the Customer-Premises Equipment WAN Management Protocol – which typically makes TCP/IP port 7547 available. ISPs use this protocol to manage the modems on their network. However, on vulnerable boxes, a TR-064-compatible server is running behind that port and thus accepts TR-064 commands that configure the hardware without authentication.

The second problem, according to Martyn, is that the SetNTP Server functionality in the router's TR-064 implementation is vulnerable to command injection.
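For defenders, the two issues described above translate into two checks on traffic seen on TCP port 7547, sketched here as an added example that is not code from Xiphos Research, the ISPs or the vendors. It assumes request fields already extracted from a capture, a hypothetical ACS address range, and the TR-064 Time service naming (`SetNTPServers`, `NewNTPServerN`), which comes from the TR-064 specification rather than from this article.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumption: the ISP's ACS address range (a documentation prefix stands in here).
ACS_NETWORKS = [ipaddress.ip_network("192.0.2.0/28")]
# RFC 1123 hostname labels only; spaces, ';', '`', '$', '|' and newlines never match.
HOSTNAME = re.compile(
    r"([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def valid_ntp_server(value):
    """Accept an empty slot, an IP literal, or a plain hostname; nothing else."""
    if value == "":
        return True
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None

def review_request(src_ip, soap_action, body):
    """Return the findings for one HTTP request observed on TCP 7547."""
    findings = []
    from_acs = any(ipaddress.ip_address(src_ip) in net for net in ACS_NETWORKS)
    if "dslforum-org:service" in soap_action and not from_acs:
        findings.append("tr064-from-wan")        # issue 1: LAN-side API reached from WAN
    if "<!DOCTYPE" in body or "<!ENTITY" in body:  # SOAP forbids DTDs; do not parse them
        return findings + ["dtd-in-soap"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return findings + ["unparseable-body"]
    for elem in root.iter():
        name = elem.tag.rsplit("}", 1)[-1]       # strip any XML namespace prefix
        if name.startswith("NewNTPServer") and not valid_ntp_server(elem.text or ""):
            findings.append("bad-ntp-value:" + name)  # issue 2: value is not a host
    return findings

ACTION = "urn:dslforum-org:service:Time:1#SetNTPServers"

def envelope(ntp1):
    """Constructed sample SOAP body, not captured traffic."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
            f'<NewNTPServer1>{ntp1}</NewNTPServer1><NewNTPServer2></NewNTPServer2>'
            '</u:SetNTPServers></s:Body></s:Envelope>')

if __name__ == "__main__":
    print(review_request("203.0.113.9", ACTION, envelope("time.example.net;echo test")))
```

The same allowlist logic in `valid_ntp_server` is what firmware should apply before an NTP server value reaches any shell command; the source-address check mirrors the network-level filtering an ISP can apply on port 7547.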

"The first issue, that of TR-064 being wide open to the internet, affects a whole host of other ISPs and vendors, and is, in fact, just as serious as the second one," said Martyn.

Martyn said he has confirmed that two routers provided by UK ISP TalkTalk are vulnerable – a ZyXEL modem and the D-Link DSL-3780. And he said that devices from T-Com/T-home (SpeedPort), MitraStar, Digicom, and Aztech are also at risk. In a tweet on Monday, Martyn said he has found 48 devices that are vulnerable to the TR-069/TR-064 issue.

Altogether, this suggests this particular security nightmare is widespread. It goes beyond Deutsche Telekom, Eir and TalkTalk: ISP subscribers using the aforementioned weak modems are at risk of infection or losing their connectivity until their firmware is updated.

The Register asked TalkTalk for comment today and was told that a response will not be immediately forthcoming because the working day in the UK was just ending.

"The TR-064 interface being accessible via WAN with no authentication means that just about anyone on the internet can interact with it, and reconfigure the device remotely," said Martyn.

What's at risk

An attacker could thus alter the router's DNS settings, alter the port forwarding settings, steal Wi-Fi credentials, and update the ACS/Provisioning Server configuration settings, among other things. Changing those configuration details would allow an attacker to manage hijacked devices using an ISP's ACS management software, Martyn explained.

A Metasploit module incorporating the vulnerability was created earlier this month. According to a post in the SANS ISC InfoSec Forum, it appears that the exploit is being used in a modified Mirai botnet.

On Monday, in an emailed statement to The Register, Eir said it has been made aware of potential security vulnerabilities in its ZyXEL D1000 and ZyXEL P-660HN-T1A devices, which account for approximately 30 per cent of its retail customers' broadband modems.

As of September, Eir had about 867,000 broadband customers, which includes 443,000 retail customers and 424,000 wholesale broadband connections. So approximately 130,000 Eir customers may be affected.

"We have been working with ZyXEL, the supplier, and we have deployed a number of solutions both at the device and network level which will remove this risk," said Eir's spokesperson. "All of the potentially affected modems are now protected with the network mitigation we have taken. We continue to deploy the firmware patch."

Eir is recommending that customers with affected modems change both the administrative password and the Wi-Fi password. The two passwords should not be the same.

A Shodan search [login required] indicates that approximately five million devices offer a service on port 7547 over the internet. While not all of these devices are necessarily vulnerable, plenty of them are. ®